Lessons from the Drupal.org hack

Last night, the Drupal Association confirmed media reports that the Drupal.org site had been hacked, with passwords and user registration information potentially compromised.

Some Background

As security incidents go, we have all certainly seen far worse. For example, no credit card information was available to be stolen. It is, however, a major inconvenience for the 1 million registered users who have to change their passwords, and potentially a threat to those who use the same email/password combos on other sites.

The site owners have not yet shared the exact vulnerability, saying only that it was in "third-party" software and not in Drupal. Of course, "Drupal" can mean different things. There's the "core," which is fairly aggressively tested and sealed, and then a plethora of third-party Drupal modules of varying provenance and security profiles.

Two Lessons For You

In either case, there are at least two lessons here.

  1. Your Web CMS is only as secure as its most vulnerable add-on module. This applies to any platform that employs a module/plug-in architecture, as nearly all modern CMS tools do these days. The sheer number of modules that many open source adherents brag about can be as much a curse as a blessing.

  2. You need to look at the security of your entire stack, and not just your CMS. That seems obvious, but in any emphasis on application security, we tend to forget that there's a whole range of potential vulnerabilities across each tier in your infrastructure, not least of which is the human tier.

So, is Drupal itself inherently insecure? I don't believe so. And again: in this case, we don't know yet what caused the breach. That said, in our Web CMS evaluations we give Drupal low marks for vulnerability since it is so frequently targeted, in part because third-party modules can provide such fertile ground, and in part because it is so popular, including among novice administrators.

For a longer discussion on that latter point -- and on security more generally in the open source CMS world -- check out this earlier post, and related discussions.
